Heartbleed


The Heartbleed vulnerability has been all over the news this past week. As usual, the media sometimes twists the facts, sometimes intentionally, other times inadvertently. For example, I’ve heard Heartbleed being called a virus, or being framed as something that was deliberately created to be malicious. Also, from reading people’s comments on the online news articles and blog posts, it seems that many people don’t really understand what Heartbleed is or does. From my point of view as a software developer, I would like to provide some information and resources that I believe are true and report the facts (but as I’m not an expert in the field of encryption/security, you may also want to take these with a grain of salt).

Heartbleed explained

Heartbleed is simply a software bug. Sure, there are bugs in nearly all, if not all, software out there (obviously we developers try not to introduce bugs, but we humans are unfortunately imperfect 🙁 ), but what makes this particular bug newsworthy?

  1. This particular bug is a vulnerability, which allows a malicious attacker to gain information that should not be accessible.
  2. The bug is in a library (called OpenSSL) that is used in a number of programs that in turn are run on a large number of computers worldwide.
  3. The vulnerability has been out in the wild for two years.
  4. There’s no trace left behind by a malicious attacker exploiting this vulnerability.

I came across this XKCD comic last night. I think it’s a pretty simple way to understand what the Heartbleed vulnerability allows a malicious attacker to do.

Heartbleed Explanation – XKCD comic

The comic illustrates the case where the victim is the “server” and the malicious attacker is the “client.” This is the case that most people are concerned with, as it is likely that servers running the exploitable software are easier to find and will probably have more “interesting” data in memory. The data could potentially be usernames and passwords, credit card information, or encryption keys, but on the other hand it could also be just bogus data that happened to be in memory. What the attacker actually gets depends entirely on what happens to be in adjacent memory at that moment.

However, the vulnerability works both ways (if the software on the “client” is using a vulnerable version of OpenSSL). You could own a device or run a program on your computer that allows a maliciously programmed “server” to read memory off of your device using the same exploit. For example, Android 4.1.1 devices are susceptible to Heartbleed.

Although web servers are the most common targets being mentioned, there are other services that could possibly be affected by Heartbleed including FTP servers and mail servers.

If you are interested in the nitty-gritty details behind how the exploit works, CloudFlare has an article on the low-level details (just disregard their claim that private keys aren’t accessible, since they were later disproved on that point). For higher-level information on Heartbleed, the heartbleed.com site has very clear information and a nice FAQ. Troy Hunt also has an informative FAQ about Heartbleed.
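To make the “read parts of memory they shouldn’t” point concrete, here is an added example of the defect class behind Heartbleed and of the shape of its fix. It is not code from this post, from OpenSSL or from the CloudFlare article. A TLS heartbeat record carries its own payload length; the vulnerable code copied that many bytes back to the peer without checking the claimed length against the number of bytes actually received. Everything below (the `arena` standing in for process memory, the constructed “SECRET” string, the `respond_unchecked`/`respond_checked`/`scenario` names) is an assumption for the demo; the check in `respond_checked` mirrors the form of the real fix (header plus claimed payload plus minimum padding must fit in the received record).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16   /* RFC 6520: at least 16 bytes of padding follow the payload */
#define ARENA_SIZE 96   /* constructed stand-in for a slice of process memory */

/* The heartbeat record sits at the front of the arena; unrelated data that
 * happens to be adjacent (a constructed "secret") sits right after it. */
static unsigned char arena[ARENA_SIZE];

/* Lay out a heartbeat request: type(1) | length(2, big-endian) | payload | padding.
 * declared_len is what the sender claims; actual_len is how much payload is
 * really there. Returns the true record length (what the record layer received). */
size_t build_request(uint16_t declared_len, const unsigned char *payload, size_t actual_len)
{
    static const char secret[] = "SECRET:session-cookie=constructed";
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + rec_len, secret, sizeof secret - 1); /* adjacent memory */
    return rec_len;
}

/* The defect: trust the length field inside the message and never consult
 * rec_len, so the copy runs past the payload into whatever follows it.
 * (out_cap <= ARENA_SIZE - 3 keeps this demo inside the arena and thus
 * well-defined C; the real bug had no bound and returned up to 64 KB.) */
size_t respond_unchecked(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* ignored: that is the bug */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > out_cap) return 0;               /* bound on the destination only */
    memcpy(out, rec + 3, declared);
    return declared;
}

/* The fix: header (3) + claimed payload + minimum padding must fit inside
 * what was actually received; otherwise the request is silently dropped. */
size_t respond_checked(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3) return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + declared + HB_PADDING > rec_len) return 0;
    if (declared > out_cap) return 0;
    memcpy(out, rec + 3, declared);
    return declared;
}

/* Does the response carry the needle? Used to show what leaked. */
int response_contains(const unsigned char *out, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, needle, m) == 0) return 1;
    return 0;
}

/* Run one request (claiming `declared` bytes, carrying `actual` bytes of
 * "hello-world") through either responder. Returns bytes sent back; *leaked
 * (may be NULL) is set when the adjacent secret appears in the response. */
size_t scenario(int use_fix, uint16_t declared, size_t actual, int *leaked)
{
    static unsigned char out[64];
    size_t rec_len = build_request(declared, (const unsigned char *)"hello-world", actual);
    size_t n = use_fix ? respond_checked(arena, rec_len, out, sizeof out)
                       : respond_unchecked(arena, rec_len, out, sizeof out);
    if (leaked) *leaked = response_contains(out, n, "SECRET");
    return n;
}

int scenario_leaks(int use_fix, uint16_t declared, size_t actual)
{
    int leaked = 0;
    scenario(use_fix, declared, actual, &leaked);
    return leaked;
}

int main(void)
{
    int leaked;
    size_t n = scenario(0, 40, 5, &leaked);
    printf("unchecked: claimed 40, sent 5 -> %zu bytes back, secret leaked: %s\n",
           n, leaked ? "yes" : "no");
    n = scenario(1, 40, 5, &leaked);
    printf("checked:   claimed 40, sent 5 -> %zu bytes back (dropped)\n", n);
    n = scenario(1, 5, 5, &leaked);
    printf("checked:   claimed 5, sent 5  -> %zu bytes back, honest request still served\n", n);
    return 0;
}
```

The point to take away is the last line of the checked path: an honest request is still answered, so the fix costs nothing in functionality; the only thing rejected is a length claim that the record layer can prove is false. Because the response is just bytes from memory, nothing about the exchange looks abnormal to the server, which is why the post’s fourth point (no trace left behind) holds.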

What to do about it

For end users

Since exploiting Heartbleed leaves no trace, and since the vulnerability has existed for over two years, it is not possible to determine exactly what data has been compromised. In addition, if encryption keys were gleaned through Heartbleed, even more data could be compromised by decrypting historic logs (if the attacker has them).

So for end users, the precautionary recommendation is to change your passwords after the services that were affected have been patched. Mashable has a running list of the status of popular web services that you can use to determine whether to change your password. In case you use a service that isn’t listed there, you can check it yourself on Filippo Valsorda’s test site. However, keep in mind that not only web services are affected. There are recommendations not to log in to services that are still known to be vulnerable, because when you log in there is a chance that your credentials will be placed in memory, where they could be read. In addition, ensure that all the software and operating systems you are running are up to date.

For system administrators, developers and service providers

Obviously, ensuring that OpenSSL is up to date or patched is top priority. Troy Hunt provides some additional advice in his blog post.

Heartbleed and the goto fail and GnuTLS bugs

Heartbleed isn’t related to the Apple goto fail or the GnuTLS bug we’ve seen in the past couple of months. The goto fail and GnuTLS bugs make connections susceptible to man-in-the-middle attacks, where a malicious intruder can pretend to be the trusted service you’re communicating with and intercept messages between you and the service. Heartbleed, on the other hand, allows attackers to read parts of the computer’s memory that they should not have access to.

OpenSSL and open source projects

OpenSSL is an open-source project with eleven volunteer developers, maintaining one of the most used SSL/TLS libraries (if not the most used), probably on their own time. I think they should be respected for taking on the heavy responsibilities of this project.

Open-source projects allow external developers to read the source code and even submit improvements and contributions. Depending on the project, there are different procedures for getting contributions accepted, usually including a code review process where the core maintainers ensure that the contributions work as intended and meet the standards of the project (kind of like how a newspaper editor goes over the articles of his writers before they get published). Since humans aren’t 100% perfect, bugs and mistakes unfortunately happen, as much as we try not to allow them.

While it is possible to order security audits of software, for open-source projects that usually don’t generate any profit, it is difficult to come up with the money.  I remember when we got a security audit for MyBB, it was in the order of thousands of dollars.

Conclusion

There is a lot of information about the Heartbleed vulnerability on the news and media, and from reading the comments on many of the blog posts and news articles I have read, many people don’t really understand what Heartbleed is and its implications.  I hope that this article sheds a little bit of light on that, and provides more resources for those who want to dig a little deeper in understanding it.

The hello world hackathon project

This past week, the co-op students at A Thinking Ape participated in an internal hackathon where they had two days to develop something to show the rest of the company.

Among the games and tools that resulted, one project stood out to me: a hello world app.  Yes, a hello world app. (For those not in the software development field, “hello world” is usually the first output that developers code when trying out a new platform or language.)

It had a white background, black text that said “Hello World,” and a green button that was labeled, “I am a button.”  It was built using Microsoft’s latest platform that supports writing universal Windows apps that can be run on Windows phones, tablets, and desktop computers.

What stood out to me was the way he presented this simple app.  He described the app not as any other hello world app, but one with a button and that it was green!  As he went on, he told us that the green button was also “self aware,” because it was labeled describing itself as a button.

Then he clicked the button. The text that appeared below said, “You clicked the button,” or something to that effect. He described this as like predicting the future, but in reverse!

He finally proceeded to show us how it looked on a phone simulator.

By the end of it, many of us were quite entertained by the way this seemingly simple and ordinary project was described.  This presentation reminded me of the  “reality distortion field” Steve Jobs had when he presented his keynotes (here’s one when Steve Jobs revealed Safari for Windows in 2007).

This example is to show that no matter what kind of product you have, the way you present it to people and the way you market it has a great effect on what the audience will feel and remember about the product.

Debugging NSNotifications on iOS

For iOS developers, this is a really cool technique.  Sometimes you want to see all the NSNotifications that get posted in your app, whether it is for debugging, or to see the timing of where listeners can be hooked in.  Using breakpoints in Xcode will allow us to inspect the notifications.

Xcode console: some system notifications (both public and private) and some application notifications being generated at the boot of iTMAC

Follow this procedure to set it up:

  1. In Xcode, open the breakpoints panel on the left sidebar.
  2. Click the + icon at the bottom left of the panel.  Select “Add Symbolic Breakpoint…”
  3. Enter the following details:
    Symbol: -[NSNotificationCenter postNotificationName:object:userInfo:]
  4. Click Add Action and enter the following details:
    Debugger Command: po $r2
    This prints out the 3rd parameter (internally speaking): the name of the notification.  The first two parameters, if you’re curious, are the NSNotificationCenter instance and the selector (the command/message).
    Updated June 7, 2015: If you are getting the error “use of undeclared identifier '$r2'”, try using po $arg3 instead.
  5. Select “Automatically continue after evaluating“.

Your breakpoint settings should look like this:
Xcode NSNotification breakpoint settings

You will then need to run the application on a device (sorry, this doesn’t work on the simulator). Note that if your application constantly produces many notifications, it will run significantly slower, because each hit of the breakpoint has to be processed by the debugger. To work around this, you can disable the breakpoint until you get to the place where you want to analyze the notifications.

When frames are too many

I was digging around my backups and came across this mockup of a site my friend and I worked on ten years ago, but never published.  This was when Microsoft FrontPage was still around, frames were OK, and <blink>, <marquee> and animated GIFs were the rage, and when the whole world used Internet Explorer.

I guess it didn’t occur to us back then that nine frames were eight frames too many.  Oh, have times changed 🙂

Odyssey Web Mockup with 9 frames

Today, HTML framesets are rarely used.  Server-side scripting such as PHP is used to replicate common code across multiple pages.  Client-side alternatives such as CSS positioning and overflow allow elements on the page to be statically attached to the window, or to have internal contents overflow with scrollbars automatically.  Browsers such as Firefox and Chrome have dominated the browser market share.

Using Mac’s Automator to Make Diffing Easier

Recently I’ve been needing an easy way to paste two versions of a text, and get the differences between the texts, specifically changes within a line (most diff programs only show which lines have changed).  After some searching, DiffMerge came up as one of the best free diff programs that would work on the Mac.  DiffMerge is great in many aspects, however, it lacked the interface to paste in text to diff right off the start.

I set out using Mac’s Automator tool to create an application to prompt the user for two texts, create the temporary files, then pass it into DiffMerge.

Automator is a very easy-to-use visual scripting tool that you can use to create workflows that can be automated (hence the name).  Also, it comes with all Macs!  As great as Automator seems to be, there are some drawbacks: the actions aren’t very customizable, and the flow of data within the workflow is strictly the “output” of one action to the “input” of the next.

I came up with the following workflow:

  1. Get value of a pseudo-variable – random identifier
  2. Set the value of the random identifier into a variable so the same identifier can be referenced later (subsequent steps refer to this value as just the “identifier”)
  3. Ask for base text
  4. Store base text in a temporary file (using the identifier as part of the filename)
  5. Ask for new text
  6. Store new text in a temporary file (using the identifier as part of the filename)
  7. Get value of the identifier
  8. Run a custom shell script to open DiffMerge with the files created in the steps above.  Passing the identifier in as an argument to the shell script lets it work out the names of the temporary files.  The shell script also removes the temporary files when DiffMerge is closed.

The result was quite successful.  Here is what DiffMerge looks like after pasting two SQL dumps into the Automator application.  Notice the temporary filename.

I’ve uploaded the app to do this to my GitHub account.  It’s called “PasteDiff.app”.  You can download it and open the app in Automator to see precisely the actions used.

Many times, computer programs are born out of the necessity to reduce repetitive or menial tasks.  For Mac users, Automator is a nifty tool that can help with that.

If you have used Automator for anything cool, let me know in the comments!